diff --git a/pkg/apis/core/validation/shoot.go b/pkg/apis/core/validation/shoot.go index 235f04e4b11..35c30480993 100644 --- a/pkg/apis/core/validation/shoot.go +++ b/pkg/apis/core/validation/shoot.go @@ -293,7 +293,43 @@ func ValidateShootSpecUpdate(newSpec, oldSpec *core.ShootSpec, newObjectMeta met // ValidateProviderUpdate validates the specification of a Provider object. func ValidateProviderUpdate(newProvider, oldProvider *core.Provider, fldPath *field.Path) field.ErrorList { - return apivalidation.ValidateImmutableField(newProvider.Type, oldProvider.Type, fldPath.Child("type")) + allErrs := field.ErrorList{} + + allErrs = append(allErrs, apivalidation.ValidateImmutableField(newProvider.Type, oldProvider.Type, fldPath.Child("type"))...) + allErrs = append(allErrs, validateWorkersUpdate(newProvider.Workers, oldProvider.Workers, fldPath.Child("workers"))...) + + return allErrs +} + +func validateWorkersUpdate(newWorkers, oldWorkers []core.Worker, fldPath *field.Path) field.ErrorList { + allErrs := field.ErrorList{} + oldWorkersMap := make(map[string]core.Worker) + for _, w := range oldWorkers { + oldWorkersMap[w.Name] = w + } + for i, w := range newWorkers { + if _, ok := oldWorkersMap[w.Name]; ok { + oldWorker := oldWorkersMap[w.Name] + allErrs = append(allErrs, validateWorkerUpdate(&w, &oldWorker, fldPath.Index(i))...) + } + } + return allErrs +} + +func validateWorkerUpdate(newWorker, oldWorker *core.Worker, fldPath *field.Path) field.ErrorList { + allErrs := field.ErrorList{} + allErrs = append(allErrs, validateCRIUpdate(newWorker.CRI, oldWorker.CRI, fldPath.Child("cri"))...) + + return allErrs +} + +func validateCRIUpdate(newCri *core.CRI, oldCri *core.CRI, fldPath *field.Path) field.ErrorList { + allErrs := field.ErrorList{} + + if (newCri == nil && oldCri != nil) || (newCri != nil && oldCri == nil) || (newCri != nil && oldCri != nil && newCri.Name != oldCri.Name) { + allErrs = append(allErrs, field.Invalid(fldPath, newCri, "can't update cri configurations")) + } + return allErrs } // ValidateShootStatusUpdate validates the status field of a Shoot object. diff --git a/pkg/apis/core/validation/shoot_test.go b/pkg/apis/core/validation/shoot_test.go index e5e5a51545d..6f5eea3c789 100644 --- a/pkg/apis/core/validation/shoot_test.go +++ b/pkg/apis/core/validation/shoot_test.go @@ -1133,6 +1133,33 @@ var _ = Describe("Shoot Validation Tests", func() { })))) }) }) + + It("should not allow update cri configurations enablement", func() { + newShoot := prepareShootForUpdate(shoot) + newWorker := *shoot.Spec.Provider.Workers[0].DeepCopy() + newWorker.Name = "second-worker" + newWorker.CRI = &core.CRI{Name: core.CRINameContainerD} + shoot.Spec.Provider.Workers = append(shoot.Spec.Provider.Workers, newWorker) + + newShoot.Spec.Provider.Workers = []core.Worker{newWorker, shoot.Spec.Provider.Workers[0]} + newShoot.Spec.Provider.Workers[0].CRI = nil + newShoot.Spec.Provider.Workers[1].CRI = &core.CRI{Name: core.CRINameContainerD} + + errorList := ValidateShootUpdate(newShoot, shoot) + + Expect(errorList).To(HaveLen(2)) + }) + + It("should not allow update cri name", func() { + shoot.Spec.Provider.Workers[0].CRI = &core.CRI{Name: "test-cri"} + newShoot := prepareShootForUpdate(shoot) + + newShoot.Spec.Provider.Workers[0].CRI = &core.CRI{Name: core.CRINameContainerD} + + errorList := ValidateShootUpdate(newShoot, shoot) + + Expect(errorList).To(HaveLen(1)) + }) }) Context("dns section", func() {